Module/Rule.ProcessMitigation/Convert/Methods.ps1

# Copyright (c) Microsoft Corporation. All rights reserved.
# Licensed under the MIT License.
#region Method Functions
<#
    .SYNOPSIS
        Retreives the mitigation target name from the check-content element in the xccdf
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
#>

function Get-MitigationTargetName
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    try
    {
        switch ($CheckContent)
        {
            {$CheckContent -match "Get-ProcessMitigation -System"}
            {
                $executableMatch = 'System'
                return $executableMatch
            }

            {$CheckContent -match "Get-ProcessMitigation -Name chrome.exe"}
            {
                $executableMatch = 'chrome.exe'
                return $executableMatch
            }

            default
            {
                $executableMatch = $checkContent -split (":")
                return $executableMatch[0]
            }
        }
    }
    catch
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Mitigation Target Name : Not Found"
        return $null
    }
}

<#
    .SYNOPSIS
        Retreives the mitigation policy name from the check-content element in the xccdf
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
#>

function Get-MitigationType
{
    [CmdletBinding()]
    [OutputType([string[]])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    try
    {
        $mitigationType = ($CheckContent | Select-String -Pattern $regularExpression.MitigationType -AllMatches).Matches.Value | Select-Object -Unique

        if ($mitigationType -eq "CFG")
        {
            $mitigationType = "ControlFlowGuard"
        }

        if ($mitigationType -eq "Child Process")
        {
            $mitigationType = "ChildProcess"
        }

        return $mitigationType
    }
    catch
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Mitigation Types : Not Found"
        return $null
    }
}

<#
    .SYNOPSIS
        Retreives the mitigation policy name from the check-content element in the xccdf
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
#>

function Get-MitigationName
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    try
    {
        $mitigationName = ($CheckContent | Select-String -Pattern $regularExpression.MitigationName -AllMatches).Matches.Value | Select-Object -Unique

        if ($mitigationName -eq "Override DEP")
        {
            $mitigationName = "OverrideDep"
        }

        return $mitigationName
    }
    catch
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Mitigation Name : Not Found"
        return $null
    }
}

<#
    .SYNOPSIS
        Retreives the mitigation policy name from the check-content element in the xccdf
 
    .PARAMETER CheckContent
        Specifies the check-content element in the xccdf
#>

function Get-MitigationValue
{
    [CmdletBinding()]
    [OutputType([string])]
    param
    (
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]
        $CheckContent
    )

    Write-Verbose "[$($MyInvocation.MyCommand.Name)]"

    try
    {
        $mitigationValue = ($CheckContent | Select-String -Pattern $regularExpression.MitigationValue -CaseSensitive).Matches.Value

        if ($mitigationValue -match 'ON|True')
        {
            $mitigationValue = 'true'
        }
        else
        {
            $mitigationValue = 'false'
        }

        return $mitigationValue
    }
    catch
    {
        Write-Verbose "[$($MyInvocation.MyCommand.Name)] Mitigation Value : Not Found"
        return $null
    }
}

<#
    .SYNOPSIS
        Check if the string (MitigationTarget) contains a comma. If so the rule needs to be split
#>


function Test-MultipleProcessMitigations
{
    [CmdletBinding()]
    [OutputType([bool])]
    param
    (
        [Parameter(Mandatory = $true)]
        [psobject]
        $CheckContent
    )

    $matchTargets = ($CheckContent | Select-String -Pattern $regularExpression.MitigationTarget -AllMatches).Matches.Value | Select-Object -Unique
    $matchTypes = ($CheckContent | Select-String -Pattern $regularExpression.MitigationType -AllMatches).Matches.Value | Select-Object -Unique
    $matchNames = ($CheckContent | Select-String -Pattern $regularExpression.MitigationName -AllMatches).Matches.Value | Select-Object -Unique

    if (($matchTargets.count -gt 1) -or ($matchTypes.count -gt 1) -or ($matchNames.count -gt 1))
    {
        return $true
    }
    return $false
}



<#
    .SYNOPSIS
        Consumes a list of mitigation targets seperated by a comma and outputs an array
#>

function Split-MultipleProcessMitigations
{
    [CmdletBinding()]
    [OutputType([System.Collections.ArrayList])]
    param
    (
        [Parameter(Mandatory = $true)]
        [psobject]
        $CheckContent
    )

    $matchNamesGroup = @()
    $processMitigations = @()
    $matchTargets = ($CheckContent | Select-String -Pattern $regularExpression.MitigationTarget -AllMatches).Matches.Value | Select-Object -Unique

    if ($matchTargets -eq "[application name]")
    {
        $matchTargets = ((($CheckContent | Select-String -Pattern ".*.EXE|.*.exe" -CaseSensitive).Matches.Value) -split (",")).replace("and ", "")
    }

    $matchTypes = ($CheckContent | Select-String -Pattern $regularExpression.MitigationType -AllMatches).Matches.Value | Select-Object -Unique

    foreach ($mitigationTarget in $matchTargets)
    {
        foreach ($mitigationType in $MatchTypes)
        {
            $matchNamesGroup = ($CheckContent | Select-String -Pattern "(?<=$($mitigationType):\n)(.+[\n\r])+" -AllMatches).Matches.Value
            $matchNamesGroupSplit = ($matchNamesGroup.trim()).Split("`n")
            foreach ($matchName in $matchNamesGroupSplit)
            {
                $mitigationNames = ($matchName | Select-String -Pattern $regularExpression.MitigationName).Matches.Value
                foreach ($mitigationName in $mitigationNames)
                {
                    $mitigationValue = ($matchName | Select-String -Pattern "(?<=$($mitigationName):\s)(\w+)" -AllMatches).Matches.Value
                    $processMitigations += '{0}:{1}:{2}:{3}' -f $mitigationTarget,$mitigationType,$mitigationName,$mitigationValue
                }
            }
        }
    }

    return $processMitigations
}

#endregion